988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2

General

Target

988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.exe
Size

236KB
MD5

a0ccf77a8c5c03334cda7233cc06d91a
SHA1

d54ab50b7bcf70c020d8f9ce4bd8c5921d12b7ee
SHA256

988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2
SHA512

bfc62f03a0724d3dc8dd4027c9a8ac9aff46ee1dced8c54a95f641d25c62d8c9f52244e100f04306e6696c8dbda648398bf04218fa1082c6b748cf95d1aa8fe3
SSDEEP

6144:GuVmC7m5WHMYuXz9kXGk4rMwWKg57IAh0:D4Yu2ard2O

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

alxaq.exealxaq.EXE

pid process

1588 alxaq.exe
1592 alxaq.EXE

pid	process
1588	alxaq.exe
1592	alxaq.EXE

Loads dropped DLL 2 IoCs

Processes:

988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE

pid	process
1840	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE
1840	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

alxaq.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\Currentversion\Run	alxaq.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\{C85CA746-7A58-4EEE-A205-C7EAE2BB773B} = "C:\\Users\\Admin\\AppData\\Roaming\\Sauxu\\alxaq.exe"	alxaq.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.exealxaq.exe988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE

description	pid	process	target process
PID 1184 set thread context of 1840	1184	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.exe	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE
PID 1588 set thread context of 1592	1588	alxaq.exe	alxaq.EXE
PID 1840 set thread context of 1828	1840	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Privacy	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

alxaq.EXE

pid	process
1592	alxaq.EXE
1592	alxaq.EXE
1592	alxaq.EXE
1592	alxaq.EXE
1592	alxaq.EXE
1592	alxaq.EXE
1592	alxaq.EXE
1592	alxaq.EXE
1592	alxaq.EXE
1592	alxaq.EXE
1592	alxaq.EXE
1592	alxaq.EXE
1592	alxaq.EXE
1592	alxaq.EXE
1592	alxaq.EXE
1592	alxaq.EXE
1592	alxaq.EXE
1592	alxaq.EXE
1592	alxaq.EXE
1592	alxaq.EXE
1592	alxaq.EXE
1592	alxaq.EXE
1592	alxaq.EXE
1592	alxaq.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXEcmd.exeWinMail.exe

description	pid	process
Token: SeSecurityPrivilege	1840	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE
Token: SeSecurityPrivilege	1840	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE
Token: SeSecurityPrivilege	1840	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE
Token: SeSecurityPrivilege	1828	cmd.exe
Token: SeManageVolumePrivilege	1928	WinMail.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.exealxaq.exeWinMail.exe

pid process

1184 988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.exe
1588 alxaq.exe
1928 WinMail.exe

pid	process
1184	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.exe
1588	alxaq.exe
1928	WinMail.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.exe988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXEalxaq.exealxaq.EXE

description	pid	process	target process
PID 1184 wrote to memory of 1840	1184	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.exe	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE
PID 1184 wrote to memory of 1840	1184	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.exe	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE
PID 1184 wrote to memory of 1840	1184	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.exe	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE
PID 1184 wrote to memory of 1840	1184	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.exe	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE
PID 1184 wrote to memory of 1840	1184	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.exe	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE
PID 1184 wrote to memory of 1840	1184	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.exe	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE
PID 1184 wrote to memory of 1840	1184	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.exe	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE
PID 1184 wrote to memory of 1840	1184	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.exe	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE
PID 1184 wrote to memory of 1840	1184	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.exe	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE
PID 1840 wrote to memory of 1588	1840	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE	alxaq.exe
PID 1840 wrote to memory of 1588	1840	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE	alxaq.exe
PID 1840 wrote to memory of 1588	1840	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE	alxaq.exe
PID 1840 wrote to memory of 1588	1840	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE	alxaq.exe
PID 1588 wrote to memory of 1592	1588	alxaq.exe	alxaq.EXE
PID 1588 wrote to memory of 1592	1588	alxaq.exe	alxaq.EXE
PID 1588 wrote to memory of 1592	1588	alxaq.exe	alxaq.EXE
PID 1588 wrote to memory of 1592	1588	alxaq.exe	alxaq.EXE
PID 1588 wrote to memory of 1592	1588	alxaq.exe	alxaq.EXE
PID 1588 wrote to memory of 1592	1588	alxaq.exe	alxaq.EXE
PID 1588 wrote to memory of 1592	1588	alxaq.exe	alxaq.EXE
PID 1588 wrote to memory of 1592	1588	alxaq.exe	alxaq.EXE
PID 1588 wrote to memory of 1592	1588	alxaq.exe	alxaq.EXE
PID 1592 wrote to memory of 1128	1592	alxaq.EXE	taskhost.exe
PID 1592 wrote to memory of 1128	1592	alxaq.EXE	taskhost.exe
PID 1592 wrote to memory of 1128	1592	alxaq.EXE	taskhost.exe
PID 1592 wrote to memory of 1128	1592	alxaq.EXE	taskhost.exe
PID 1592 wrote to memory of 1128	1592	alxaq.EXE	taskhost.exe
PID 1592 wrote to memory of 1220	1592	alxaq.EXE	Dwm.exe
PID 1592 wrote to memory of 1220	1592	alxaq.EXE	Dwm.exe
PID 1592 wrote to memory of 1220	1592	alxaq.EXE	Dwm.exe
PID 1592 wrote to memory of 1220	1592	alxaq.EXE	Dwm.exe
PID 1592 wrote to memory of 1220	1592	alxaq.EXE	Dwm.exe
PID 1592 wrote to memory of 1284	1592	alxaq.EXE	Explorer.EXE
PID 1592 wrote to memory of 1284	1592	alxaq.EXE	Explorer.EXE
PID 1592 wrote to memory of 1284	1592	alxaq.EXE	Explorer.EXE
PID 1592 wrote to memory of 1284	1592	alxaq.EXE	Explorer.EXE
PID 1592 wrote to memory of 1284	1592	alxaq.EXE	Explorer.EXE
PID 1592 wrote to memory of 1840	1592	alxaq.EXE	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE
PID 1592 wrote to memory of 1840	1592	alxaq.EXE	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE
PID 1592 wrote to memory of 1840	1592	alxaq.EXE	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE
PID 1592 wrote to memory of 1840	1592	alxaq.EXE	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE
PID 1592 wrote to memory of 1840	1592	alxaq.EXE	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE
PID 1840 wrote to memory of 1828	1840	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE	cmd.exe
PID 1840 wrote to memory of 1828	1840	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE	cmd.exe
PID 1840 wrote to memory of 1828	1840	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE	cmd.exe
PID 1840 wrote to memory of 1828	1840	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE	cmd.exe
PID 1840 wrote to memory of 1828	1840	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE	cmd.exe
PID 1840 wrote to memory of 1828	1840	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE	cmd.exe
PID 1840 wrote to memory of 1828	1840	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE	cmd.exe
PID 1840 wrote to memory of 1828	1840	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE	cmd.exe
PID 1840 wrote to memory of 1828	1840	988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE	cmd.exe
PID 1592 wrote to memory of 1764	1592	alxaq.EXE	conhost.exe
PID 1592 wrote to memory of 1764	1592	alxaq.EXE	conhost.exe
PID 1592 wrote to memory of 1764	1592	alxaq.EXE	conhost.exe
PID 1592 wrote to memory of 1764	1592	alxaq.EXE	conhost.exe
PID 1592 wrote to memory of 1764	1592	alxaq.EXE	conhost.exe
PID 1592 wrote to memory of 1228	1592	alxaq.EXE	DllHost.exe
PID 1592 wrote to memory of 1228	1592	alxaq.EXE	DllHost.exe
PID 1592 wrote to memory of 1228	1592	alxaq.EXE	DllHost.exe
PID 1592 wrote to memory of 1228	1592	alxaq.EXE	DllHost.exe
PID 1592 wrote to memory of 1228	1592	alxaq.EXE	DllHost.exe
PID 1592 wrote to memory of 1580	1592	alxaq.EXE	DllHost.exe
PID 1592 wrote to memory of 1580	1592	alxaq.EXE	DllHost.exe
PID 1592 wrote to memory of 1580	1592	alxaq.EXE	DllHost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.exe
"C:\Users\Admin\AppData\Local\Temp\988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1184

C:\Users\Admin\AppData\Local\Temp\988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE
"C:\Users\Admin\AppData\Local\Temp\988dca6269410339e1c1eb329a2b610029bfc5a3b80e7aeb0a9c9fc7f2509db2.EXE"
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1840

C:\Users\Admin\AppData\Roaming\Sauxu\alxaq.exe
"C:\Users\Admin\AppData\Roaming\Sauxu\alxaq.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1588

C:\Users\Admin\AppData\Roaming\Sauxu\alxaq.EXE
"C:\Users\Admin\AppData\Roaming\Sauxu\alxaq.EXE"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp39a1ca67.bat"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1220

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-978413527-671147033-169569890864978759-19828003671927373744-321206093-251449120"
1⤵
PID:1764

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1228

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1580

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1928

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Baba\mopo.ogr
Filesize
398B

MD5
5b3b75d250737e47f5437d6e09be8350

SHA1
da4f139e4d6dadf195d1f71eaf4a5daeb98d2d05

SHA256
2e3f37106eab561bf0b62da3249ce27823266e88ad8283b3d44a51c2e88411f8

SHA512
8ffc136e17c9269429b8cfde2ce9a335e4e8fbbf39d647a2f7366e7eb30933c15273c0954b95c2feeaca75bf7852dad21894196e0318297eb1734061b456aace

Download Submit
C:\Users\Admin\AppData\Roaming\Sauxu\alxaq.EXE
Filesize
236KB

MD5
ee5c1085ebfae88481fffeb218594bd5

SHA1
37a1d98086f4922ab1483ea6f4059f39c0ae587c

SHA256
bffa3b80a5e22b39c4f29865a0c66c6d2b61f33b50cc9aa3168c0e04ec1ea6fa

SHA512
194fc6072441265aa35e764ceca5c8511ef143f1f91d83345c0afa24cc3743a2c50369616e5e893e71be9f886cd099f6dbed29ce40e990304aa9e2b7a4ddf17d

Download Submit
C:\Users\Admin\AppData\Roaming\Sauxu\alxaq.exe
Filesize
236KB

MD5
ee5c1085ebfae88481fffeb218594bd5

SHA1
37a1d98086f4922ab1483ea6f4059f39c0ae587c

SHA256
bffa3b80a5e22b39c4f29865a0c66c6d2b61f33b50cc9aa3168c0e04ec1ea6fa

SHA512
194fc6072441265aa35e764ceca5c8511ef143f1f91d83345c0afa24cc3743a2c50369616e5e893e71be9f886cd099f6dbed29ce40e990304aa9e2b7a4ddf17d

Download Submit
C:\Users\Admin\AppData\Roaming\Sauxu\alxaq.exe
Filesize
236KB

MD5
ee5c1085ebfae88481fffeb218594bd5

SHA1
37a1d98086f4922ab1483ea6f4059f39c0ae587c

SHA256
bffa3b80a5e22b39c4f29865a0c66c6d2b61f33b50cc9aa3168c0e04ec1ea6fa

SHA512
194fc6072441265aa35e764ceca5c8511ef143f1f91d83345c0afa24cc3743a2c50369616e5e893e71be9f886cd099f6dbed29ce40e990304aa9e2b7a4ddf17d

Download Submit
\Users\Admin\AppData\Roaming\Sauxu\alxaq.exe
Filesize
236KB

MD5
ee5c1085ebfae88481fffeb218594bd5

SHA1
37a1d98086f4922ab1483ea6f4059f39c0ae587c

SHA256
bffa3b80a5e22b39c4f29865a0c66c6d2b61f33b50cc9aa3168c0e04ec1ea6fa

SHA512
194fc6072441265aa35e764ceca5c8511ef143f1f91d83345c0afa24cc3743a2c50369616e5e893e71be9f886cd099f6dbed29ce40e990304aa9e2b7a4ddf17d

Download Submit
\Users\Admin\AppData\Roaming\Sauxu\alxaq.exe
Filesize
236KB

MD5
ee5c1085ebfae88481fffeb218594bd5

SHA1
37a1d98086f4922ab1483ea6f4059f39c0ae587c

SHA256
bffa3b80a5e22b39c4f29865a0c66c6d2b61f33b50cc9aa3168c0e04ec1ea6fa

SHA512
194fc6072441265aa35e764ceca5c8511ef143f1f91d83345c0afa24cc3743a2c50369616e5e893e71be9f886cd099f6dbed29ce40e990304aa9e2b7a4ddf17d

Download Submit
memory/1128-89-0x0000000000410000-0x0000000000437000-memory.dmp

Filesize
156KB

Download
memory/1128-88-0x0000000000410000-0x0000000000437000-memory.dmp

Filesize
156KB

Download
memory/1128-91-0x0000000000410000-0x0000000000437000-memory.dmp

Filesize
156KB

Download
memory/1128-90-0x0000000000410000-0x0000000000437000-memory.dmp

Filesize
156KB

Download
memory/1220-95-0x00000000001A0000-0x00000000001C7000-memory.dmp

Filesize
156KB

Download
memory/1220-94-0x00000000001A0000-0x00000000001C7000-memory.dmp

Filesize
156KB

Download
memory/1220-96-0x00000000001A0000-0x00000000001C7000-memory.dmp

Filesize
156KB

Download
memory/1220-97-0x00000000001A0000-0x00000000001C7000-memory.dmp

Filesize
156KB

Download
memory/1228-134-0x0000000001B40000-0x0000000001B67000-memory.dmp

Filesize
156KB

Download
memory/1228-135-0x0000000001B40000-0x0000000001B67000-memory.dmp

Filesize
156KB

Download
memory/1228-136-0x0000000001B40000-0x0000000001B67000-memory.dmp

Filesize
156KB

Download
memory/1228-137-0x0000000001B40000-0x0000000001B67000-memory.dmp

Filesize
156KB

Download
memory/1284-102-0x0000000002A10000-0x0000000002A37000-memory.dmp

Filesize
156KB

Download
memory/1284-100-0x0000000002A10000-0x0000000002A37000-memory.dmp

Filesize
156KB

Download
memory/1284-101-0x0000000002A10000-0x0000000002A37000-memory.dmp

Filesize
156KB

Download
memory/1284-103-0x0000000002A10000-0x0000000002A37000-memory.dmp

Filesize
156KB

Download
memory/1588-70-0x0000000000000000-mapping.dmp

Download
memory/1592-110-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1592-119-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1592-82-0x0000000000413048-mapping.dmp

Download
memory/1764-131-0x0000000000140000-0x0000000000167000-memory.dmp

Filesize
156KB

Download
memory/1764-130-0x0000000000140000-0x0000000000167000-memory.dmp

Filesize
156KB

Download
memory/1764-129-0x0000000000140000-0x0000000000167000-memory.dmp

Filesize
156KB

Download
memory/1764-128-0x0000000000140000-0x0000000000167000-memory.dmp

Filesize
156KB

Download
memory/1828-117-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1828-122-0x0000000000062CBA-mapping.dmp

Download
memory/1828-144-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1828-125-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1828-114-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1828-118-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1828-116-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1840-65-0x0000000074FA1000-0x0000000074FA3000-memory.dmp

Filesize
8KB

Download
memory/1840-111-0x0000000000280000-0x0000000000299000-memory.dmp

Filesize
100KB

Download
memory/1840-120-0x0000000000280000-0x0000000000299000-memory.dmp

Filesize
100KB

Download
memory/1840-62-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1840-107-0x0000000000280000-0x00000000002A7000-memory.dmp

Filesize
156KB

Download
memory/1840-124-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1840-106-0x0000000000280000-0x00000000002A7000-memory.dmp

Filesize
156KB

Download
memory/1840-57-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1840-109-0x0000000000280000-0x00000000002A7000-memory.dmp

Filesize
156KB

Download
memory/1840-66-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1840-67-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1840-63-0x0000000000413048-mapping.dmp

Download
memory/1840-60-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1840-56-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1840-59-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1840-108-0x0000000000280000-0x00000000002A7000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads